BestEdrOfTheMarket - Little AV/EDR Bypassing Lab For Training And Learning Purposes
Little AV/EDR Evasion Lab for training & learning purposes. (️ under construction..)
____ _ _____ ____ ____ ___ __ _____ _| __ ) ___ ___| |_ | ____| _ \| _ \ / _ \ / _| |_ _| |__ ___| _ \ / _ \/ __| __| | _| | | | | |_) | | | | | |_ | | | '_ \ / _ \| |_) | __/\__ \ |_ | |___| |_| | _ < | |_| | _| | | | | | | __/|____/_\___||___/\__| |_____|____/|_| \_\ \___/|_| |_| |_| |_|\___|| \/ | __ _ _ __| | _____| |_| |\/| |/ _` | '__| |/ / _ \ __|| | | | (_| | | | < __/ |_ Yazidou - github.com/Xacone|_| |_|\__,_|_| |_|\_\___|\__|
BestEDROfTheMarket is a naive user-mode EDR (Endpoint Detection and Response) project, designed to serve as a testing ground for understanding and bypassing EDR's user-mode detection methods that are frequently used by these security solutions.
These techniques are mainly based on a dynamic analysis of the target process state (memory, API calls, etc.),
Feel free to check this short article I wrote that describe the interception and analysis methods implemented by the EDR.
Defensive Techniques
- Multi-Levels API Hooking
- SSN Hooking/Crushing
- IAT Hooking
- Shellcode Injection Detection
- Reflective Module Loading Detection
- Call Stack Monitoring
In progress:
Usage
Usage: BestEdrOfTheMarket.exe [args] /help Shows this help message and quit /v Verbosity /iat IAT hooking /stack Threads call stack monitoring /nt Inline Nt-level hooking /k32 Inline Kernel32/Kernelbase hooking /ssn SSN crushingBestEdrOfTheMarket.exe /stack /v /k32BestEdrOfTheMarket.exe /stack /ntBestEdrOfTheMarket.exe /iatVia: www.kitploit.com
BestEdrOfTheMarket - Little AV/EDR Bypassing Lab For Training And Learning Purposes
Reviewed by Zion3R
on
18:42
Rating:
Reviewed by Zion3R
on
18:42
Rating:
